Abyss Web Server version 1.0.3 shows file and directory content
Discovered on 2002, June, 30th
Abyss Web Server 1.0.3 is a free personal web server available for Windows and Linux operating systems. This web server can shows file and directory content. Only Windows version of Abyss is vulnerable.
When sending a GET with more than 256 slashes ("/"), then the server shows all files in the directory content. A hacker can see all hidden (non-HTML linked) files and directories on the server. This work only on Windows platforms. On Linux platform, this request is handled, and return a 414 (Request-URI Too Large) error.
The exploit is really easy. You can do it with any browser by using this syntax :
http://<Abyss_server>///////////////////////...(more than 256 times)...///
Of course, replace <Abyss_server> by the vulnerable server.
You will get this page :
The vendor has been informed and has solved the problem.
Download Abyss Web Server 1.0.7
Arnaud Jacques aka scrap